The US Congress seemed primed to move quickly to introduce a law that would oblige companies to inform customers when their personal information had been compromised, after a series of data breaches in early 2005.
Now, more than a year after data breaches at ChoicePoint and LexisNexis set off a national debate about identification theft and data security, time is running out for Congress to pass a law before it finishes business this year. Some proponents of a national breach notification law say it's unlikely that Congress will be able to pass a law by then.
Lawmakers have introduced more than 10 bills dealing with data breach notification since early 2005. The bills differ in several ways, including varying requirements about when a breached company should notify customers and whether consumers should be able to freeze their credit reports following a breach.
Beyond the confusion about the differences in the bills, five congressional committees have claimed jurisdiction over some of the data breach bills. "It's certainly a popular and pro-consumer issue to tackle," said David Sohn, a staff counsel at the Center for Democracy and Technology, a privacy and civil rights advocacy group. "It's difficult to see how Congress will reconcile all the bills."
In late 2005, a data breach notification law seemed virtually assured; even data brokers such as ChoicePoint advocated a federal law that would pre-empt state notification laws that were popping up across the US. About 23 states have passed their own notification laws, and backers of a federal law say interstate businesses will have difficulty complying with dozens of state laws.
Two data breach notification bills have passed through Senate committees and are awaiting action on the Senate floor, and two other bills are awaiting action on the House floor. A spokesman for Senator Dianne Feinstein, a California Democrat and early advocate for a national data breach notification law, said he's still hopeful a law will get through Congress this year, but others are less optimistic.
Both the House and the Senate have targeted 6 October to adjourn for the year, giving lawmakers about a month to campaign for the November general elections. Both legislative chambers will be out of session for most of August, and national issues such as immigration reform and gas prices are likely to dominate lawmakers' attention. When the new Congress takes office in January, all bills that didn't pass before the election will have to be reintroduced.
Asked Wednesday if a data breach bill would pass this year, James Assey Jr, a senior Democratic counsel in the Senate Commerce, Science and Transportation Committee, said he's unsure, even though data breach notification bills have enjoyed bipartisan support.
"It's unclear what Congress will do," he said during an ACM (Association for Computing Machinery) conference. "Going into the next Congress, I feel certain these issues will return."
Last month, a group of executives from IT security vendors came to Washington to push for a data breach bill, with some worried that Congress was letting the issue die. Organised by the Cyber Security Industry Alliance, the trip left some participants with continuing concerns that Congress has put the issue on the back burner.
Participants told lawmakers and staff: "You might want to poll your constituents and see if this is important," said Philip Dunkelberger, president and CEO of PGP. "We're saying, 'You need to get the legislation out there where people can have an open, public debate.'"